Captive portal + decryption + squid: https problem.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Captive portal + decryption + squid: https problem.

L1 Bithead

Hi,

I try to configure path for users to access the Internet. I use Palo Alto and squid. But not everything works as I expected.

The path:

user---Palo Alto ---squid ---Internet.

Squid is behind Palo Alto because of citrix users. I want to control citrix users access and in scenario: user---squid---Palo Alto--Internet, it's not possible. Squid changes source ports.

 

Captive portal and decryption are configured.

Everything works for unknown users who reach http. User authentication by kerberos protocol succeed. If known user opens https, traffic is decrypted and website is loaded correctly with certificate from Palo Alto.

But when unknown user tries to open https Palo Alto doesn't redirect him to captive portal.

On user station wireshark shows:

 

user: connect website:443

PA: 200 connection established

user: Client Hello

PA: Server Hello

PA: Certificate

user: Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request

PA: Change Cipher Spec, Encrypted Handshake Message

user:  Application Data (GET website)

PA: sometimes ACK.

 After this Palo Alto sends RST to squid and client station (Chomre shows connection reset), sometimes communication just stops (page loads into infinity)

 

PAN-OS 7.1.2

 

Tryed this with user-squid-PA-Internet, the same problem.

 

Any idea why this happens?

Thank you for any help.

 

3 REPLIES 3

Cyber Elite
Cyber Elite

Out of curiosity do you actually have a captive portal profile built out?

I set up captive portal browser-challenge rule, enabled captive portal with SSL/TLS Service Profile and Authentication Profile in redirect mode, on zone enabled User Identification, on inteface set up management profile with permitted Response Pages.

I think thats all I need for captive portal.

 

After few tests I discoverd the problem occurs when https is tunneling. Maybe palo alto has problem with decryption and redirection when https goes via another port e.g. 8080.

  • 2266 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!